@aws-sdk/client-kms 3.218.0 → 3.220.0

package/dist-types/commands/SignCommand.d.ts

@@ -10,8 +10,8 @@ export interface SignCommandOutput extends SignResponse, __MetadataBearer {
 /**
  * <p>Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital
  *         signature</a> for a message or message digest by using the private key in an asymmetric
- *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use the
- *       public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use
+ *       the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>Digital signatures are generated and verified by using asymmetric key pair, such as an RSA
  *       or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized
  *       user) uses their private key to sign a message. Anyone with the public key can verify that the
@@ -41,16 +41,18 @@ export interface SignCommandOutput extends SignResponse, __MetadataBearer {
  *         information is required to verify the signature.</p>
  *          </important>
  *          <note>
- *             <p>Best practices recommend that you limit the time during which any signature is effective. This deters an attack where the actor uses a signed
- *         message to establish validity repeatedly or long after the message is superseded. Signatures do not include a timestamp, but you can include a timestamp in the signed message
- *         to help you detect when its time to refresh the signature. </p>
+ *             <p>Best practices recommend that you limit the time during which any signature is
+ *         effective. This deters an attack where the actor uses a signed message to establish validity
+ *         repeatedly or long after the message is superseded. Signatures do not include a timestamp,
+ *         but you can include a timestamp in the signed message to help you detect when its time to
+ *         refresh the signature. </p>
  *          </note>
  *          <p>To verify the signature that this operation generates, use the <a>Verify</a>
  *       operation. Or use the <a>GetPublicKey</a> operation to download the public key and
  *       then use the public key to verify the signature outside of KMS. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *         <p>
+ *          <p>
  *             <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
  *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
  *

package/dist-types/commands/TagResourceCommand.d.ts

@@ -10,7 +10,7 @@ export interface TagResourceCommandOutput extends __MetadataBearer {
 /**
  * <p>Adds or edits tags on a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.</p>
  *          <note>
- *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          </note>
  *          <p>Each tag consists of a tag key and a tag value, both of which are case-sensitive strings.
  *       The tag value can be an empty (null) string. To add a tag, specify a new tag key and a tag

package/dist-types/commands/UntagResourceCommand.d.ts

@@ -11,7 +11,7 @@ export interface UntagResourceCommandOutput extends __MetadataBearer {
  * <p>Deletes tags from a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>. To delete a tag,
  *       specify the tag key and the KMS key.</p>
  *          <note>
- *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          </note>
  *          <p>When it succeeds, the <code>UntagResource</code> operation doesn't return any output.
  *       Also, if the specified tag key isn't found on the KMS key, it doesn't throw an exception or

package/dist-types/commands/UpdateAliasCommand.d.ts

@@ -12,12 +12,12 @@ export interface UpdateAliasCommandOutput extends __MetadataBearer {
  *       only one KMS key at a time, although a KMS key can have multiple aliases. The alias and the
  *       KMS key must be in the same Amazon Web Services account and Region.</p>
  *          <note>
- *             <p>Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *             <p>Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          </note>
- *          <p>The current and new KMS key must be the same type (both symmetric or both asymmetric), and
- *       they must have the same key usage (<code>ENCRYPT_DECRYPT</code> or <code>SIGN_VERIFY</code>).
- *       This restriction prevents errors in code that uses aliases. If you must assign an alias to a
- *       different type of KMS key, use <a>DeleteAlias</a> to delete the old alias and <a>CreateAlias</a> to create a new alias.</p>
+ *          <p>The current and new KMS key must be the same type (both symmetric or both asymmetric or
+ *       both HMAC), and they must have the same key usage. This restriction prevents errors in code
+ *       that uses aliases. If you must assign an alias to a different type of KMS key, use <a>DeleteAlias</a> to delete the old alias and <a>CreateAlias</a> to create
+ *       a new alias.</p>
  *          <p>You cannot use <code>UpdateAlias</code> to change an alias name. To change an alias name,
  *       use <a>DeleteAlias</a> to delete the old alias and <a>CreateAlias</a> to
  *       create a new alias.</p>
@@ -27,7 +27,7 @@ export interface UpdateAliasCommandOutput extends __MetadataBearer {
  *       in the account, use the <a>ListAliases</a> operation. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *         <p>
+ *          <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. </p>
  *          <p>
  *             <b>Required permissions</b>

package/dist-types/commands/UpdateCustomKeyStoreCommand.d.ts

@@ -8,47 +8,67 @@ export interface UpdateCustomKeyStoreCommandInput extends UpdateCustomKeyStoreRe
 export interface UpdateCustomKeyStoreCommandOutput extends UpdateCustomKeyStoreResponse, __MetadataBearer {
 }
 /**
- * <p>Changes the properties of a custom key store. Use the <code>CustomKeyStoreId</code>
- *       parameter to identify the custom key store you want to edit. Use the remaining parameters to
- *       change the properties of the custom key store.</p>
- *          <p>You can only update a custom key store that is disconnected. To disconnect the custom key
- *       store, use <a>DisconnectCustomKeyStore</a>. To reconnect the custom key store after
- *       the update completes, use <a>ConnectCustomKeyStore</a>. To find the connection
- *       state of a custom key store, use the <a>DescribeCustomKeyStores</a>
- *       operation.</p>
- *          <p>The <code>CustomKeyStoreId</code> parameter is required in all commands. Use the other
- *       parameters of <code>UpdateCustomKeyStore</code> to edit your key store settings.</p>
- *          <ul>
- *             <li>
- *                <p>Use the <code>NewCustomKeyStoreName</code> parameter to change the friendly name of
- *           the custom key store to the value that you specify.</p>
- *                <p> </p>
- *             </li>
- *             <li>
- *                <p>Use the <code>KeyStorePassword</code> parameter tell KMS the current password of the
- *             <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser">
- *                      <code>kmsuser</code> crypto user (CU)</a> in the associated CloudHSM cluster. You
- *           can use this parameter to <a href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password">fix connection
- *             failures</a> that occur when KMS cannot log into the associated cluster because
- *           the <code>kmsuser</code> password has changed. This value does not change the password in
- *           the CloudHSM cluster.</p>
- *                <p> </p>
- *             </li>
- *             <li>
- *                <p>Use the <code>CloudHsmClusterId</code> parameter to associate the custom key store
- *           with a different, but related, CloudHSM cluster. You can use this parameter to repair a
- *           custom key store if its CloudHSM cluster becomes corrupted or is deleted, or when you need to
- *           create or restore a cluster from a backup. </p>
- *             </li>
- *          </ul>
+ * <p>Changes the properties of a custom key store. You can use this operation to change the
+ *       properties of an CloudHSM key store or an external key store.</p>
+ *          <p>Use the required <code>CustomKeyStoreId</code> parameter to identify the custom key store.
+ *       Use the remaining optional parameters to change its properties. This operation does not return
+ *       any property values. To verify the updated property values, use the <a>DescribeCustomKeyStores</a> operation.</p>
+ *          <p> This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> feature in KMS, which
+ * combines the convenience and extensive integration of KMS with the isolation and control of a
+ * key store that you own and manage.</p>
+ *          <important>
+ *             <p>When updating the properties of an external key store, verify that the updated settings
+ *         connect your key store, via the external key store proxy, to the same external key manager
+ *         as the previous settings, or to a backup or snapshot of the external key manager with the
+ *         same cryptographic keys. If the updated connection settings fail, you can fix them and
+ *         retry, although an extended delay might disrupt Amazon Web Services services. However, if KMS
+ *         permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is
+ *         unrecoverable.</p>
+ *          </important>
+ *          <note>
+ *             <p>For external key stores:</p>
+ *             <p>Some external key managers provide a simpler method for updating an external key store.
+ *         For details, see your external key manager documentation.</p>
+ *             <p>When updating an external key store in the KMS console, you can upload a JSON-based
+ *         proxy configuration file with the desired values. You cannot upload the proxy configuration
+ *         file to the <code>UpdateCustomKeyStore</code> operation. However, you can use the file to
+ *         help you determine the correct values for the <code>UpdateCustomKeyStore</code>
+ *         parameters.</p>
+ *          </note>
+ *          <p>For an CloudHSM key store, you can use this operation to change the custom key store friendly
+ *       name (<code>NewCustomKeyStoreName</code>), to tell KMS about a change to the
+ *         <code>kmsuser</code> crypto user password (<code>KeyStorePassword</code>), or to associate
+ *       the custom key store with a different, but related, CloudHSM cluster
+ *         (<code>CloudHsmClusterId</code>). To update any property of an CloudHSM key store, the
+ *         <code>ConnectionState</code> of the CloudHSM key store must be <code>DISCONNECTED</code>. </p>
+ *          <p>For an external key store, you can use this operation to change the custom key store
+ *       friendly name (<code>NewCustomKeyStoreName</code>), or to tell KMS about a change to the
+ *       external key store proxy authentication credentials
+ *         (<code>XksProxyAuthenticationCredential</code>), connection method
+ *         (<code>XksProxyConnectivity</code>), external proxy endpoint
+ *         (<code>XksProxyUriEndpoint</code>) and path (<code>XksProxyUriPath</code>). For external key
+ *       stores with an <code>XksProxyConnectivity</code> of <code>VPC_ENDPOINT_SERVICE</code>, you can
+ *       also update the Amazon VPC endpoint service name (<code>XksProxyVpcEndpointServiceName</code>). To
+ *       update most properties of an external key store, the <code>ConnectionState</code> of the
+ *       external key store must be <code>DISCONNECTED</code>. However, you can update the
+ *         <code>CustomKeyStoreName</code>, <code>XksProxyAuthenticationCredential</code>, and
+ *         <code>XksProxyUriPath</code> of an external key store when it is in the CONNECTED or
+ *       DISCONNECTED state. </p>
+ *          <p>If your update requires a <code>DISCONNECTED</code> state, before using
+ *         <code>UpdateCustomKeyStore</code>, use the <a>DisconnectCustomKeyStore</a>
+ *       operation to disconnect the custom key store. After the <code>UpdateCustomKeyStore</code>
+ *       operation completes, use the <a>ConnectCustomKeyStore</a> to reconnect the custom
+ *       key store. To find the <code>ConnectionState</code> of the custom key store, use the <a>DescribeCustomKeyStores</a> operation. </p>
+ *          <p>
+ *     </p>
+ *          <p>Before updating the custom key store, verify that the new values allow KMS to connect
+ *       the custom key store to its backing key store. For example, before you change the
+ *         <code>XksProxyUriPath</code> value, verify that the external key store proxy is reachable at
+ *       the new path.</p>
  *          <p>If the operation succeeds, it returns a JSON object with no
  * properties.</p>
- *          <p>This operation is part of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store feature</a> feature in KMS, which
- * combines the convenience and extensive integration of KMS with the isolation and control of a
- * single-tenant key store.</p>
  *          <p>
- *             <b>Cross-account
- *         use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account. </p>
+ *             <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.</p>
  *          <p>
  *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateCustomKeyStore</a> (IAM policy)</p>
  *          <p>

package/dist-types/commands/UpdateKeyDescriptionCommand.d.ts

@@ -12,8 +12,7 @@ export interface UpdateKeyDescriptionCommandOutput extends __MetadataBearer {
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
- *             <b>Cross-account
- *         use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. </p>
+ *             <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. </p>
  *
  *          <p>
  *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateKeyDescription</a> (key policy)</p>

package/dist-types/commands/VerifyCommand.d.ts

@@ -23,21 +23,20 @@ export interface VerifyCommandOutput extends VerifyResponse, __MetadataBearer {
  *       signature.</p>
  *          <p>You can also verify the digital signature by using the public key of the KMS key outside
  *       of KMS. Use the <a>GetPublicKey</a> operation to download the public key in the
- *       asymmetric KMS key and then use the public key to verify the signature outside of KMS. To
- *       verify a signature outside of KMS with an SM2 public key, you must specify the distinguishing
- *       ID. By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. For more
- *       information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification">Offline
- *       verification with SM2 key pairs</a> in <i>Key Management Service Developer Guide</i>. The
+ *       asymmetric KMS key and then use the public key to verify the signature outside of KMS. The
  *       advantage of using the <code>Verify</code> operation is that it is performed within KMS. As
  *       a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged
  *       in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use
  *       the KMS key to verify signatures.</p>
+ *          <p>To verify a signature outside of KMS with an SM2 public key (China Regions only), you must
+ *       specify the distinguishing ID. By default, KMS uses <code>1234567812345678</code> as the
+ *       distinguishing ID. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification">Offline verification
+ *         with SM2 key pairs</a>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
  *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. </p>
- *
  *          <p>
  *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Verify</a> (key policy)</p>
  *          <p>

package/dist-types/commands/VerifyMacCommand.d.ts

@@ -12,13 +12,13 @@ export interface VerifyMacCommandOutput extends VerifyMacResponse, __MetadataBea
  *       KMS key, and MAC algorithm. To verify the HMAC, <code>VerifyMac</code> computes an HMAC using
  *       the message, HMAC KMS key, and MAC algorithm that you specify, and compares the computed HMAC
  *       to the HMAC that you specify. If the HMACs are identical, the verification succeeds;
- *       otherwise, it fails.</p>
- *
- *          <p>Verification indicates that the message hasn't changed since the HMAC was calculated, and
- *       the specified key was used to generate and verify the HMAC.</p>
+ *       otherwise, it fails. Verification indicates that the message hasn't changed since the HMAC was
+ *       calculated, and the specified key was used to generate and verify the HMAC.</p>
+ *          <p>HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards
+ *       defined in <a href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.</p>
  *          <p>This operation is part of KMS support for HMAC KMS keys. For details, see
- *       <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *
+ *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/endpoint/EndpointParameters.d.ts

@@ -12,7 +12,7 @@ export declare const resolveClientEndpointParameters: <T>(options: T & ClientInp
     defaultSigningName: string;
 };
 export interface EndpointParameters extends __EndpointParameters {
-    Region?: string;
+    Region: string;
     UseDualStack?: boolean;
     UseFIPS?: boolean;
     Endpoint?: string;